Publication Details
On Reliability of JA3 Hashes for Fingerprinting Mobile Applications
Burgetová Ivana, Ing., Ph.D. (DIFS)
Ryšavý Ondřej, doc. Ing., Ph.D. (DIFS)
Victor Malombe
Mobile application, TLS fingerprinting, network forensics, encrypted
communication
In recent years, mobile communication has become more secure due to TLS
encapsulation. TLS enhances user security by encrypting transmitted data, on the
other hand it limits network monitoring and data capturing which is important for
digital forensics. When observing mobile traffic today most transmissions are
encapsulated by TLS. Encrypted packets causes traditional methods to be obsolete
for device fingerprinting that require visibility of protocol headers of HTTP,
IMAP, SMTP, IM, etc. As a reaction to data encryption, new methods like TLS
fingerprinting have been researched. These methods observe TLS parameters which
are exchanged in an open form before the establishment of a secure channel. TLS
parameters can be used for identification of a sending application. Nevertheless,
with the constant evolution of TLS protocol suites, it is not easy to create
a unique and stable TLS fingerprint for forensic purposes. This paper presents
experiments with JA3 hashes on mobile apps. We focus especially on the stability,
reliability and uniqueness of JA3 fingerprints for digital forensics.
@inproceedings{BUT168482,
author="Petr {Matoušek} and Ivana {Burgetová} and Ondřej {Ryšavý} and Malombe {Victor}",
title="On Reliability of JA3 Hashes for Fingerprinting Mobile Applications",
booktitle="Digital Forensics and Cyber Crime. ICDF2C 2020",
year="2021",
series="Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering",
volume="351",
pages="1--22",
publisher="Springer International Publishing",
address="Boston",
doi="10.1007/978-3-030-68734-2\{_}1",
isbn="978-3-030-68733-5",
url="https://link.springer.com/chapter/10.1007%2F978-3-030-68734-2_1"
}